29 March 2023

Toyota Italy leaked sensitive data for over 1.5 years


Toyota Italy, Toyota Motor's Italian sales and marketing arm, exposed secrets for its Salesforce Marketing Cloud and Mapbox APIs for more than one-and-a-half years, the Cybernews research team found.

Cybercriminals could use this data to gain access to Toyota clients’ phone numbers and email addresses and use this information to launch phishing attacks.

The leak came to light in mid-February 2023, when the researchers discovered an environment file (.env) hosted on the official Toyota Italy website, exposing credentials to the digital marketing platform Salesforce Marketing Cloud.

This could allow malicious actors to gain access to phone numbers and email addresses, customer tracking information, and email, SMS, and push-notification contents, and to use this data for various purposes, such as sending bogus SMS messages and emails or editing marketing campaigns and content tied to the Salesforce Marketing Cloud.

“This leak is significant as it could have been used to launch somewhat sophisticated phishing campaigns, as attackers would have had access and control over Toyota's official communication channels, making it more likely that victims would fall for such an attack, since the sender information would be legitimate,” Cybernews researchers said.

Furthermore, the environment file also exposed Mapbox’s application programming interface (API) tokens, used to query map data.

Cybernews says that the file was first indexed by internet of things (IoT) search engines on May 21, 2021. The leak was addressed only in February 2023 after the researchers informed Toyota about the issue.

